For Advanced Password Services (APS) to be enforced, every realm defined in the Policy Database, except the Change Password realm, must have Authentication and Authorization APS events enabled. The instructions below use 'test' objects. The SiteMinder administrator configuring these objects will want to change the names to something more meaningful to their organization.

Instructions:

Create a directory on the web server called ‘test’. This is the resource that will be protected by the realm you will create next.

Create a domain (“Test Domain”) and a realm (“Test Realm”) to protect the resource ‘/test’. The agent must be the APS web agent. Basic authentication is fine.

There must be three Rules defined in every Realm, except the Change Password realm.

– An OnAuthAccept rule to catch password expiration, password change warnings and other events that occur even though the user authenticates properly.

– An OnAuthReject rule to catch "three strikes you’re out" and other events that occur when SiteMinder accepts, but APS rejects, the user.